Exploiting CVE-2021-41073 in io_uring
Valentina Palmiotti published an excellent write-up about exploiting a type confusion in io_uring to gain root privileges.
This bug allows freeing arbitrary slab allocations from the kmalloc-32 cache.
Valentina described how she constructed these exploit primitives:
✔️ UAF in kmalloc-32
✔️ Kernel heap info-leak
✔️ Control flow hijacking
✔️ Illegal privilege escalation
The researcher also described her experience with responsible disclosure.
Compilers: The Old New Security Frontier
Brad Spengler published the slides from his talk at BlueHat IL 2022.
He gave an overview of open problems in operating system security and described how compiler plugins could help.
The Discovery and Exploitation of CVE-2022-25636
Nick Gregory published an article about exploiting a heap out-of-bounds write in netfilter. The researcher managed to hijack the kernel control flow.
nickgregory.me
The Discovery and Exploitation of CVE-2022-25636 · Nick Gregory
Racing against the clock — hitting a tiny kernel race window
An article by Jann Horn on using hardware timers to widen race condition windows.
Jann applied his method to a race condition in the garbage collector for unix sockets, which had a race window of only 12 instructions.
The article also contains Jann's investigations on the precision of hardware timers in Intel CPUs.
projectzero.google
Racing against the clock -- hitting a tiny kernel race window - Project Zero
TL;DR: How to make a tiny kernel race window really large even on kernels without CONFIG_PREEMPT: use a cache miss to widen the race window a little bit...
CVE-2022-27666: Exploit esp6 module in Linux kernel
Xiaochen Zou aka ETenal published an article on exploiting a page_alloc-out-of-bounds in the esp6 crypto module.
The researcher:
1️⃣ performed page-level heap feng shui to gain a page_alloc-to-slab overflow,
2️⃣ constructed arbitrary read/write using the msg_msg kernel object,
3️⃣ finally achieved root privileges via modprobe_path overwrite.
The article comes with excellent animated diagrams.
How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables
A detailed article by David Bouman about exploiting an integer overflow leading to a limited stack-out-of-bounds read/write in the nf_tables module.
The exploit constructs a filter whose logic depends on the value of a kernel address that happens to be on the stack. This way, it leaks the KASLR offset by observing the side-effects.
The exploit then builds a ROP chain that leaves the softirq context where the bug is triggered, switches to the root network namespace, and gains root privileges.
David's Blog
How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables
Analysis and exploitation of Linux kernel vulnerabilities CVE-2022-1015 and CVE-2022-1016. I talk about how I found these vulnerabilities, explain the internals of nf_tables and come up with a local privilege escalation exploitation strategy.
Writing a Linux Kernel Remote [Exploit] in 2022
An article by Samuel Page @sam4k1 about writing an exploit for a remotely-triggerable stack-buffer-overflow in TIPC (CVE-2022-0435).
Assuming the absence of KASLR and the Stack Protector, the exploit overwrites the stack with a ROP chain that hooks a syscall to hijack a root process.
Looking for Remote Code Execution bugs in the Linux kernel
I wrote an article about fuzzing the Linux kernel network stack externally with syzkaller.
The article covers:
🧰 Introduction to syzkaller
💉 Using TUN/TAP for injecting packets into the kernel
🚚 Patching TUN/TAP for collecting coverage via KCOV
👽 Adding pseudo-syscalls for network fuzzing
🗄 Describing packet structure in syzlang
🏆 Showcases of found bugs
In the article, I put a focus on the presentation: highlighted syzlang code, made interactive snippets, added side notes that are actually on the side. I also implemented a dynamic table of contents (only visible on large screens).
The described work was done a few years ago, but I consider it still relevant. The recent trend of looking for remote Linux kernel exploits is quite exciting! I hope to see even more research in this area.
Andrey Konovalov
🔍 Looking for Remote Code Execution bugs in the Linux kernel
Using syzkaller to fuzz the Linux kernel network stack externally
Learning Linux kernel exploitation — Part 2 — CVE-2022-0847
A detailed article by 0xricksanchez about the Dirty Pipe vulnerability and its exploitation. The article also recaps Dirty Cow and compares it to Dirty Pipe.
Low-level adventures
Learning Linux kernel exploitation - Part 2 - CVE-2022-0847
Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.
Exploiting Dirty Pipe on Android
Two publications about exploiting Dirty Pipe on Android. Both use similar techniques without additional vulnerabilities.
1. Notes and an exploit by polygraphene.
2. Slides by Giovanni Rocca.
GitHub
DirtyPipe-Android/TECHNICAL-DETAILS.md at master · polygraphene/DirtyPipe-Android
Dirty Pipe root exploit for Android (Pixel 6).
Tetragone: A Lesson in Security Fundamentals
An article by Pawel Wieczorkiewicz and Brad Spengler about bypassing post-exploitation detection provided by Tetragon.
The article also expands on the impossibility of preventing malicious post-exploitation activity if the prevention component works at the same privilege level as the attacked code.
Similar concerns affect LKRG. Check out the LKRG bypass article by Alexander Popov for the details.
grsecurity.net
grsecurity - Tetragone: A Lesson in Security Fundamentals
In this blog post, we take the reader on a journey through a bypass of a new eBPF-based observability and mitigation tool named Tetragon, developed in the two hours after the tool was first set up, as a hopefully instructive lesson on the importance of security…
A Kernel Hacker Meets Fuchsia OS
Alexander Popov (me) published an article about hacking the Zircon microkernel of Fuchsia OS.
Experience in Linux kernel security helped to assess Fuchsia OS from the attacker's point of view.
Summary:
🟪 Fuchsia security architecture
🟪 Exploit development experiments for the Zircon microkernel
🟪 PoC attack planting a rootkit into the microkernel
Alexander Popov
A Kernel Hacker Meets Fuchsia OS
Fuchsia is a general-purpose open-source operating system created by Google. It is based on the Zircon microkernel written in C++ and is currently under active development. The developers say that Fuchsia is designed with a focus on security, updatability…
kconfig-hardened-check: new feature
kconfig-hardened-check is a tool for checking the security hardening options of the Linux kernel.
Initially, it supported checking compile-time Kconfig options that are relevant for security.
And now this tool can also check the kernel cmdline options, aka boot parameters.
GitHub
GitHub - a13xp0p0v/kernel-hardening-checker: A tool for checking the security hardening options of the Linux kernel
Fuzzing USB with Raw Gadget
Slides and video from a talk by Andrey Konovalov on fuzzing USB drivers.
The talk covers:
🤖 Raw Gadget — a new interface for emulating USB devices
🪶 Fuzzing in a VM via virtual USB controllers
🔌 Reproducing found bugs via Raspberry Pi Zero
Google Docs
2022, BSides Munich: Fuzzing USB with Raw Gadget
Fuzzing USB with Raw Gadget, Andrey Konovalov (xairy.io), BSides Munich, May 16th 2022
Linux kernel heap feng shui in 2022
An article by Michael S and Vitaly Nikolenko describing the kernel changes that affected exploitation techniques for slab-related vulnerabilities over the last few years.
Duasynt
Linux kernel heap feng shui in 2022 - Michael S, Vitaly Nikolenko
Two eBPF exploits
Exploits for two bugs in the eBPF code, CVE-2021-4204 and CVE-2022-23222, by tr3e with brief write-ups in Chinese.
GitHub
GitHub - tr3ee/CVE-2021-4204: CVE-2021-4204: Linux Kernel eBPF Local Privilege Escalation
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)
An article by Valentin Obst and Martin Claus covering the Dirty Pipe vulnerability. The article also suggests a few approaches to investigating Linux kernel bugs.
lolcads tech blog
Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)
Intro: This blog post reflects our exploration of the Dirty Pipe Vulnerability in the Linux kernel. The bug was discovered by Max Kellermann and described here. If you haven’t read the original publication yet, we’d suggest that you read it first (maybe also…
Yet another bug into Netfilter
An article by Arthur Mongodin about exploiting an out-of-bounds access in the netfilter subsystem to achieve an info-leak. The article also suggests a potential approach to gain privilege escalation.
io_uring - new code, new bugs, and a new exploit technique
Lam Jun Rong published an article that covers analyzing and exploiting CVE-2021-41073, an invalid-free vulnerability in the io_uring subsystem.
This vulnerability has previously been exploited by Valentina Palmiotti, but that exploit relied on eBPF. The new exploit targets Ubuntu 21.10, where eBPF is not available to unprivileged users.
The Android kernel mitigations obstacle race
A great article by Man Yue Mo about exploiting a race condition that leads to a use-after-free vulnerability in the Qualcomm GPU driver for Samsung Galaxy Z Flip3.
The researcher widened the race window to hit the bug reliably, and then bypassed kCFI, automatic variable initialization, and Samsung RKP in the exploit.
The GitHub Blog
The Android kernel mitigations obstacle race
In this post I’ll exploit CVE-2022-22057, a use-after-free in the Qualcomm gpu kernel driver, to gain root and disable SELinux from the untrusted app sandbox on a Samsung Z flip 3. I’ll look at various mitigations that are implemented on modern Android devices…
TripleCross
A Linux eBPF rootkit providing a backdoor with command and control (C2) capabilities, library injection, execution hijacking, persistence, and hiding.